Krebs on Security

In-depth security news and investigation

Posts Tagged: EAST

ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls “deep insert skimmers,” wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.

KrebsOnSecurity’s All About Skimmers series has featured several stories about insert skimmers. But the ATM manufacturer said deep insert skimmers are different from typical insert skimmers because they are placed in various positions within the card reader transport, behind the shutter of a motorized card reader and completely hidden from the consumer at the front of the ATM.

Deep insert skimmers removed from hacked ATMs.

NCR says these deep insert skimming devices — usually made of metal or PCB plastic — are unlikely to be affected by most active anti-skimming jamming solutions, and they are unlikely to be detected by most fraudulent device detection solutions.

“Neither NCR Skimming Protection Solution, nor other anti-skimming devices can prevent skimming with these deep insert skimmers,” NCR wrote in an alert sent to banks and other customers. “This is due to the fact the skimmer sits well inside the card reader, away from the detectors or jammers of [NCR’s skimming protection solution].

The company said it has received reports of these skimming devices on all ATM manufacturers in Greece, Ireland, Italy, Switzerland, Sweden, Bulgaria, Turkey, United Kingdom and the United States.

“This suggests that ‘deep insert skimming’ is becoming more viable for criminals as a tactic to avoid bezel mounted anti-skimming devices,” NCR wrote. The company said it is currently testing a firmware update for NCR machines that should help detect the insertion of deep insert skimmers and send an alert.

A DEEP DIVE ON DEEP INSERT SKIMMERS

Charlie Harrow, solutions manager for global security at NCR, said the early model insert skimmers used a rudimentary wireless transmitter to send card data. But those skimmers were all powered by tiny coin batteries like the kind found in watches, and that dramatically limits the amount of time that the skimmer can transmit card data.

Harrow said NCR suspects that the deep insert skimmer makers are using tiny pinhole cameras hidden above or beside the PIN pad to record customers entering their PINs, and that the hidden camera doubles as a receiver for the stolen card data sent by the skimmer nestled inside the ATM’s card slot. He suspects this because NCR has never actually found a hidden camera along with an insert skimmer. Also, a watch-battery run wireless transmitter wouldn’t last long if the signal had to travel very far. Continue reading →

Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.

Two network cable card skimming devices, as found attached to this ATM.

In a series of recent alerts, the FICO Card Alert Service warned of large and sudden spikes in ATM skimming attacks. On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

“The number of ATM compromises in 2015 was the highest ever recorded by the FICO Card Alert Service, which monitors hundreds of thousands of ATMs in the US,” the company said. “Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014.”

While 2014 saw skimming attacks targeting mainly banks in big cities on the east and west coasts of the United States, last year’s skimming attacks were far more spread out across the country, the FICO report noted.

Earlier this year, I published a post about skimming attacks targeting non-bank ATMs using hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. The skimmer pictured in that story was at a 7-Eleven convenience store.

Since that story ran I’ve heard from multiple banking industry sources who said they have seen a spike in ATM fraud targeting cash machines in 7-Elevens and other convenience stores, and that the commonality among the machines is that they are all operated by ATM giant Cardtronics (machines in 7-Eleven locations made up for 17.5 percent of Cardtronics’ revenue last year, according to this report at ATM Marketplace).

Some financial institutions are taking dramatic steps to head off skimming activity. Trailhead Credit Union in Portland, Ore., for example, has posted a notice to customers atop its Web site, stating:

“ALERT: Until further notice, we have turned off ATM capabilities at all 7-11 ATMs due to recent fraudulent activity. Please use our ATM locator for other locations. We are sorry for the inconvenience.”

Trailhead Credit Union has stopped allowing members to withdraw cash from 7-11 ATMs.

7-Eleven did not respond to requests for comment. Cardtronics said it wasn’t aware of any banks blocking withdrawals across the board at 7-11 stores or at Cardtronics machines.

“While Cardtronics is aware that a single financial institution [Xceed Financial Credit Union] temporarily restricted ATM access late in 2015, it soon thereafter restored full ATM access to its account holders,” the company said in a statement. “As the largest ATM services provider, Cardtronics has a long history of executing a layered security strategy and implementing innovative security enhancements at our ATMs. As criminals modify their attack, Cardtronics always has and always will aggressively respond, reactively and proactively, with innovation to address these instances.” Continue reading →

Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

Not long after that post went live, I heard from the folks at NCR, one of the world’s largest cash machine manufacturers. NCR had put out a bulletin on the emergence of this very threat in Sept. 2014, saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5887 models.

As I noted in my original story, the attackers use a plastic decal to cover up the hole, but NCR’s photos of one ATM compromised by this method offer a better look at what’s going on here. Take a look at the size of that hole:

A hole left by crooks who added “wiretapping” or “eavesdropping” theft devices to a compromised ATM. Image: NCR.

“In this attack, the ATM fascia is penetrated close to the card reader to create a hole large enough for the attacker to reach inside the ATM and place a tap directly onto the card reader in order to skim card data as it is read by the ATM,” NCR said in an advisory it produced on the increasingly common attacks.

According to NCR, the emergence of this type of skimming attack is a response to the widespread availability of third party anti-skimming technology which is successful at preventing the operation of a traditional skimmer, placed on the outside of the ATM.

“Card reader eavesdropping skimmers are placed in a location that third party anti-skimming technology necessarily cannot protect, since the ATM must be capable of reading the card,” the advisory notes. “This [technique] has previously been seen in Ireland and the Netherlands, and can be expected to grow as traditional skimming is prevented.”

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

If the idea of ATM bandits taking a blowtorch to the cash machine sounds extreme, at least they’re not trying to blow the ATM to smithereens. According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise.Continue reading →

Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries, financial institutions in two countries recently reported ATM attacks in which the card data was compromised internally by “wire-tapping” or “eavesdropping” on the customer transaction. The image below shows some criminal equipment used to perpetrate these eavesdropping attacks.

Equipment used by crooks to conduct “eavesdropping” or “wiretapping” attacks on ATMs. Source: EAST.

“The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
[pictured, bottom right].

Pictured above are what appear to be wires that are fed into the machine with some custom-made rods. It looks like the data is collected by removing the decal, fishing out the wire attached to the ATM’s card reader, and connecting it to a handheld data storage device.

I sought clarification from EAST about how the device works. Most skimmers are card slot overlay devices that work by using a built-in component which reads the account data off of the magnetic stripe when the customer inserts the card. But Lachlan Gunn, EAST’s executive director, suggested that this device intercepts the card data from the legitimate card reader on the inside of the ATM. He described the wiretapping device this way:

“It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”

The last report in my ATM skimming series showcased some major innovations in so-called “insert skimmers,” card-skimming devices made to fix snugly and invisibly inside the throat of the card acceptance slot. EAST’s new report includes another, slightly more advanced, insert skimmer that’s being called an “insert transmitter skimmer.”

Like the one pictured below, an insert transmitter skimmer is made up of two steel plates and an internal battery that lasts approximately one to two weeks. “They do not store data, but transmit it directly to a receiving device — probably placed less than 1 meter from the ATM. Continue reading →

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR. To learn more about how these attacks are impacting banks and the ATM makers, I reached out to Owen Wild, NCR’s global marketing director, security compliance solutions.

Wild said ATM malware is here to stay and is on the rise.

BK: I have to say that if I’m a thief, injecting malware to jackpot an ATM is pretty money. What do you make of reports that these ATM malware thieves in Malaysia were all knocking over NCR machines?

OW: The trend toward these new forms of software-based attacks is occurring industry-wide. It’s occurring on ATMs from every manufacturer, multiple model lines, and is not something that is endemic to NCR systems. In this particular situation for the [Malaysian] customer that was impacted, it happened to be an attack on a Persona series of NCR ATMs. These are older models. We introduced a new product line for new orders seven years ago, so the newest Persona is seven years old.

BK: How many of your customers are still using this older model?

OW: Probably about half the install base is still on Personas.

BK: Wow. So, what are some of the common trends or weaknesses that fraudsters are exploiting that let them plant malware on these machines? I read somewhere that the crooks were able to insert CDs and USB sticks in the ATMs to upload the malware, and they were able to do this by peeling off the top of the ATMs or by drilling into the facade in front of the ATM. CD-ROM and USB drive bays seem like extraordinarily insecure features to have available on any customer-accessible portions of an ATM.

OW: What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.

BK: Unattended….meaning they’re not inside of a bank or part of a structure, but stand-alone systems off by themselves.

OW: Correct.

BK: It seems like the other big factor with ATM-based malware is that so many of these cash machines are still running Windows XP, no?

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

OW: Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play. Continue reading →

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.

“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”

Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):

The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.

Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard. Continue reading →

Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here’s a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year.

According to a new report from the European ATM Security Team (EAST), a novel form of mini-skimmer was reported by one country. Pictured below is a device designed to capture the data stored on an ATM card’s magnetic stripe as the card is inserted into the machine. While most card skimmers are made to sit directly on top of the existing card slot, these newer mini-skimmers fit snugly inside the card reader throat, obscuring most of the device. This card skimmer was made to fit inside certain kinds of cash machines made by NCR.

A mini-skimmer designed to slip inside of an NCR ATM’s card acceptance slot. Image: EAST.

The miniaturized insert skimmer above was used in tandem with a tiny spy camera to record each customer’s PIN. The image on the left shows the hidden camera situated just to the left of the large square battery; the photo on the right shows the false ATM fascia that obscures the hidden camera as it was found attached to the compromised ATM (notice the tiny pinhole at the top left edge of the device).

The hidden camera used in tandem with the insert skimmer. Source: EAST.

EAST notes that the same country which reported discovering the skimmer devices above also found an ATM that was compromised by a new type of translucent insert skimmer, pictured below.

A translucent mini-skimmer made to sit (mostly) inside of an ATM’s card acceptance slot. Source: EAST.

Experts in the United States and Europe are tracking a marked increase in ATM skimmer scams. But let’s hope that at least some of that is the result of newbie crooks who fail as hard as the thief who tried to tamper with a Bank of America ATM earlier this week in Nashville.

Nashville police released a series of still photos (which I made into a slideshow, below) that show a man attaching a card skimming device to a local ATM, and then affixing a false panel above the PIN pad that includes a tiny video camera to record victims entering their PINs. According to Nashville NBC affiliate WSMV.com, this scammer’s scheme didn’t work as planned: The card skimmer overlay came off of the ATM in the hands of the first customer who tried to use it.

As you can see in the image montage, the first would-be victim arrives less than seven minutes after the thief installs the skimmer. The story doesn’t state this, but the customer who accidentally pulled the card skimmer off of the ATM actually drove off with the device. Interestingly, the fraudster returns a few minutes later to salvage what’s left of his kit (and perhaps his pride).

As lame as this ATM skimming attempt was, a few aspects of this crime are worth highlighting because they show up repeatedly in skimming attacks. One is that the vast majority of skimming devices are installed on Saturdays and Sundays, when the crooks know the banks will be closed for at least a day. As a result, you have a much higher chance of encountering a skimmer if you regularly use ATMs on a weekend.

Second, the thieves who install these fraud devices very often are lurking somewhere nearby — to better keep an eye on their investments. If you ever happen to discover a skimming device attached to an ATM, just remember that while walking or driving off with the thing might seem like a good idea at the time, the miscreant who put it there may be watching or following you as you depart the ATM area.

Once or twice a month I am interviewed by various news outlets about ATM skimming attacks, and I’m nearly always asked for recent figures on the incident and cost of these crimes. Those stats are hard to come by; I believe the last time the U.S. Secret Service released figures about the crime, it estimated that annual losses from ATM fraud totaled about $1 billion, but that was for 2008.

Source: Verizon

Today’s figures are almost certainly higher. On Tuesday, Verizon Enterprise Solutions released its annual data breach investigations report, a deep dive into more than 620 data breaches from the past year. Interestingly, this year’s report shows that of the Top 20 Threat Actions the company tracked across all of the breaches from 2012, physical tampering was the most frequent cause — present in more than 30 percent of all incidents detailed in the report.

“Physical tampering is our way of categorizing the installation of a skimming device, and that was the number one threat action out of everything we looked at,” said Wade Baker, managing principal of RISK intelligence at Verizon. “If you look at the last two [Verizon annual] reports, a large majority of the data set was the point-of-sale intrusions at small organizations such as retail establishments and restaurants, and those are actually a much smaller portion of our data set this time.”

Credit and debit card skimmers aren’t just for ATMs anymore. According to European anti-fraud experts, innovative skimming devices are turning up on everything from train ticket kiosks to parking meters and a host of other unattended payment terminals.

Recently, at least five countries reported skimming attacks against railway or transport ticket machines, according to the European ATM Security Team (EAST), a not-for-profit organization that collects data on skimming attacks. Two countries reported skimming attacks at parking machines, and three countries had skimming incidents involving point-of-sale terminals. EAST notes that Bluetooth devices increasingly are being used to transit stolen card and PIN data wirelessly.

Skimming devices found at train ticket kiosks in Europe. Source: EAST

The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.

Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.

Security experts with the European ATM Security Team (EAST) say five countries in the region this year have reported card trapping incidents. Such attacks involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.

These devices were made to capture the ATM user’s card after the user withdrawals cash. Credit: EAST.

“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country – despite warning messages that appear on the ATM screen or are displayed on the ATM fascia – customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale
transactions.”

According to EAST, most card trapping incidents take place outside normal banking hours with initial fraudulent usage taking place within 10 minutes of the card capture (balance inquiry and cash withdrawal at a nearby ATM), followed by point-of-sale transactions.

A twist on this attack involves “cash traps,” often claw-like contraptions that thieves insert into the cash-dispensing slot which are capable of capturing or skimming some of the dispensed bills. Here are a few pictures of a cash-trapping device from an EAST report released earlier this year.